January 2018 Summaries
3 posts from Sonar
Filter
Month:
Year:
Post Summaries
Back to Blog
When a project with no real changes undergoes an upgrade in SonarQube, it may show a significant drop in coverage due to the introduction of Executable Lines, which counts the number of lines that can be executed by unit tests. This metric is now used as the denominator when calculating total coverage, allowing for more accurate results. The impact of this change is most notable when considering projects without any coverage at all or those with no data displayed initially. While not every line of code is executable, using Executable Lines provides a more comprehensive view of coverage, even if it means adjusting configuration settings and potentially re-configuring exclusions. The feature is available in recent versions of SonarQube and its supporting analyzers, including C#, Java, JavaScript, PHP, PL/SQL, Python, Swift, among others, with updates expected for other analyzers as well.
Jan 23, 2018
588 words in the original blog post.
The SecurityCubeCart is an open-source e-commerce solution that has two critical security vulnerabilities, CVE-2018-20716 and another one which allows an attacker to circumvent the authentication mechanism required to login as an administrator. The first vulnerability can be exploited through CubeCarts "I forgot my Password!" functionality by using a valid password reset token which is not present in the expected format, allowing an attacker to execute arbitrary code on the web server and steal all sensitive files and data. The second vulnerability is related to the `where()` method of the database class which introduces search modifiers that can be abused to bypass the authentication mechanism by prefixing a tilde character to the password reset token and using wildcard characters, resulting in an almost always true condition in the SQL query. Both vulnerabilities were reported to the vendor in October 2017 and fixed versions were released shortly after.
Jan 17, 2018
1,166 words in the original blog post.
The latest releases of the SonarQube Scanner for MSBuild (v4.0) and Sonarlint for Visual Studio (v3.8) now support analysis of .NET Core projects in the new MSBuild v15 format, as well as multiple platform output and analysis on non-Windows machines. The scanner also takes a pragmatic approach to combining issues across assemblies produced by such projects. Additionally, SonarLint for Visual Studio 2017 now supports both old-style and new-format MSBuild project files, while the SonarQube extension for VSTS is being rewritten in NodeJS to support non-Windows build agents.
Jan 10, 2018
835 words in the original blog post.